4. IPSec will not connect (racoon: couldn't find configuration)

IPSec will not connect (racoon: couldn't find configuration)

  • B

    Hey, guys.

    I'm having a problem with my IPSec configuration.
    On one side, everything works out pretty nice.
    On the other side, racoon is making bad noises about not finding a correct configuration.

    "ERROR: couldn't find configuration."

    However, if I kill racoon, and run it in the foreground with debug output on, I get some more information.

    2008-07-16 16:06:27: DEBUG: ===
    2008-07-16 16:06:27: DEBUG: 100 bytes message received from <remote_ip>[57413] to <local_ip>[500]
    2008-07-16 16:06:27: DEBUG:
    ba9d946f 3cf4cf90 00000000 00000000 01100200 00000000 00000064 0d000034
    00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c04b0
    80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
    77570100
    2008-07-16 16:06:27: DEBUG: no remote configuration found.
    2008-07-16 16:06:27: ERROR: couldn't find configuration.

    The configuration is pretty straight forward, generated by pfSense.

    cat racoon.conf

    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    remote <remote_ip>{
          exchange_mode main;
          my_identifier address "<gw on="" correct="" vlan="">";

    peers_identifier address <remote_ip>;
          initial_contact on;
          support_proxy on;
          proposal_check obey;

    proposal {
                  encryption_algorithm 3des;
                  hash_algorithm sha1;
                  authentication_method pre_shared_key;
                  dh_group 2;
                  lifetime time 2400 secs;
          }
          lifetime time 2400 secs;
    }

    sainfo address <local_network>any address <remote_network>any {
          encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
          authentication_algorithm hmac_sha1,hmac_md5;
          compression_algorithm deflate;
          lifetime time 1200 secs;
    }

    Here is the weird thing; if I change that remote stanza to read

    remote anonymous {
    blah;
    }

    then everything works out nice, racoon even tells me it uses the anonymous stanza for that correct IP.

    2008-07-16 16:11:06: DEBUG: anonymous configuration selected for <remote_ip>.

    So, to me this seems really odd, how come racoon isn't picking up that stanza when configured like pfsense configures it ?
    Using the remote stanza is not what I really want, and either way I can't see a way to make pfsense generate one of those either.

    So, does anyone have any ideas on what is going on here ?
    Using tcpdump I can see that it is in fact my <remote_ip>that is coming through to racoon, on port 500/UDP.

    Thanks for a great product, by the way.</remote_ip></remote_ip></remote_network></local_network></remote_ip></gw></remote_ip></local_ip></remote_ip>

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy